
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 120 in
C. R1(config)# access-list 120 deny ip any host 10.0.0.255 log
R1(config)# access-list 120 permit ip any 10.0.0.0 0.0.0.255 log
R1(config)# interface Serial0/0
R1(config-if)# ip access-group 120 in
D. R1(config)# access-list 120 deny udp 10.0.0.0 0.0.255.255 host 255.255.255.255 eq 512
R1(config)# interface Serial0/0
R1(config-if)# ip access-group 120 in
Answer: B
Explanation:
The TCP SYN Attack
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the "TCP three-way handshake."

While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly, since the ACK is expected to arrive a few milliseconds after the SYN ACK.

The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Since the SYN ACK is destined for an incorrect or non-existent host, the last part of the "three-way handshake" is never completed, and the entry remains in the connection queue until a timer expires, typically after about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users.

There is no easy way to trace the originator of the attack because the source IP address is forged.

In this example, this type of attack is stopped because the access list uses the "established" keyword, so the only traffic allowed in belongs to TCP connections that were originated by the internal (fa0/0) network and destined to the R1 branch network.
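As an added illustration of this explanation (not part of the exam material), the following Python model replays constructed TCP segments through a router check with the `established` semantic (permit only segments with ACK or RST set) and then through a victim's finite half-open queue with a timer; the victim address 10.0.0.10, the queue size of 4, the 60 s timer and all segment records are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    rst: bool = False

def established_permits(seg: Segment) -> bool:
    """IOS 'established' matches only TCP segments with ACK or RST set, i.e.
    replies to connections the inside opened; a bare SYN from outside fails."""
    return seg.ack or seg.rst

def simulate(traffic, queue_size=4, timeout=60.0, acl=None):
    """Pass (time, segment) pairs through an optional router ACL and then the
    victim's finite half-open connection queue, whose entries expire after
    `timeout` seconds. Returns (SYNs queued, SYNs refused: queue full, ACL-filtered)."""
    pending: dict[str, float] = {}   # source -> time the SYN-ACK was sent
    queued = refused = filtered = 0
    for now, seg in traffic:
        if acl is not None and not acl(seg):
            filtered += 1            # stopped at the router, never reaches the host
        elif seg.syn and not seg.ack:
            # free entries whose timer ran out, then admit the SYN if there is room
            pending = {s: t for s, t in pending.items() if now - t < timeout}
            if len(pending) < queue_size:
                pending[seg.src] = now
                queued += 1
            else:
                refused += 1
        elif seg.ack:
            pending.pop(seg.src, None)  # final ACK of the handshake frees the entry
    return queued, refused, filtered

# Constructed traffic (RFC 5737 documentation addresses): four spoofed SYNs that
# never complete, a legitimate client arriving at 5 s or at 70 s, and one SYN-ACK
# reply to a connection an inside host opened. The victim address is made up.
VICTIM = "10.0.0.10"
FLOOD = [(float(i), Segment(f"198.51.100.{i}", VICTIM, syn=True)) for i in range(4)]
CLIENT_EARLY = [(5.0, Segment("203.0.113.7", VICTIM, syn=True))]
CLIENT_LATE = [(70.0, Segment("203.0.113.7", VICTIM, syn=True))]
REPLY = [(5.5, Segment("203.0.113.9", VICTIM, syn=True, ack=True))]

if __name__ == "__main__":
    print(simulate(FLOOD + CLIENT_EARLY))                          # (4, 1, 0)
    print(simulate(FLOOD + CLIENT_LATE))                           # (5, 0, 0)
    print(simulate(FLOOD + CLIENT_EARLY, acl=established_permits))  # (0, 0, 5)
```

Without the filter the four spoofed entries fill the queue and the legitimate SYN at 5 s is refused, while at 70 s the timer has freed them; with the `established` check every bare SYN from outside is dropped at the router and only the SYN-ACK reply passes.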
QUESTION NO: 3
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible.
Cisco 642-825: Practice Exam
3
http://certkill.com